1 / 10

Kerberos Delegation

GOPAS TechEd 2012. Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@ sevecek.com | www.sevecek.com |. Kerberos Delegation. Basic Delegation. Front-End Server. Back-End Server. Client. Password. TGT: User. TGS : Back-End. DC.

kendis
Download Presentation

Kerberos Delegation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Kerberos Delegation

  2. Basic Delegation Front-End Server Back-End Server Client Password TGT: User TGS: Back-End DC

  3. Kerberos Delegation Options

  4. Kerberos Delegation Options • Unconstrained Delegation • DFL 2000 • to any back-end service • user “knows” about it • Constrained Delegation • DFL 2003 • to listed back-end SPNs • user does not know about it • Constrained Delegation with Protocol Transition

  5. Kerberos Delegation (Simplified) Front-End Server Back-End Server Client TGS: Front-End TGT: User TGS: Back-End TGS: Front-End DC DC

  6. AD Delegation Requirements • Front-end account must be able to read tokenGroups and tokenGroupGlobalandUniversal attributes • Windows Authorization Access Group • 2003 schema update • User account must have delegation enabled • Account is sensitive and cannot be delegated

  7. Protocol Transition Requirements • Protocol Transition requires Act as part of operating system (SeTCBPrivilege) • Protocol Transition requires front-end resource domain = account domain

  8. Kerberos with IIS 7+ • Providers • Kernel Mode Authentication • SharePoint does not support it • useAppPoolCredentials

  9. Protocol Transition Front-End Server Back-End Server Client Nothing Kamil TGS: Back-End DC

  10. GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Thank you!

More Related